Simon Says – Musings of a Technology CTO

“But if it’s encrypted, why do I need to login?” the customer across the desk asks me with incredulity.

I realise that I’m about to get into a discussion which boarders on theological and raises passion in both security and business leaders alike. A discussion that I’ve had many times over the last two years, and will have many more times in the near future.

“Because, without authentication, there’s no point to encryption”. I reply, knowing full well that this isn’t an answer that’s wanted, or understood.

With a stifled sigh I start to explain..

The question itself is a good one, even though IT security professionals cringe when asked. The hype of identity theft and data protection has forced many business leaders to implement data protection policies which don’t add to their bottom line.

Security is a tax…

One of my colleagues once professed this with a sage-like expression. No one wants to implement security, it adds complexity to the work environment, and no one ever made their business more efficient or profitable by forcing users to login, so naturally, since most of the hype and regulation specifically mentions or eludes to the “encryption of data”, why would people care about authentication? Surely if encryption of the data is what’s needed, then let’s just encrypt it – why add passwords or other authentication costs at all? What possible reason is there for companies to make sacrifices to the bottom line to protect data which, probably, no one is interested in?

We’ll never get a virus…

Remember hearing this from budget holders 10 years ago? Remember how hard it was to get approval to buy virus scanning software? How many people have that challenge today? You know you will get a virus if you don’t protect your machines. Data security is in a similar position, and, in a few years I fully believe we will catch up. We know that if we don’t protect our data, when our devices are stolen we’ll get nailed to a cross by Identity protection laws.

Do you have sensitive data?

It’s useful to step back and forget about technology and jargon when trying to understand the point of a high-tech system. Think about what you’re trying to achieve. Security, Encryption, Authentication etc are all concepts invented to do one simple thing – to stop people accessing information. You might have your pin number for your visa card stored in your outlook contacts, you may have designs for a new drug which you don’t want your competitors accessing, you may have the social security numbers and credit card details for your customer base on a laptop, or you may have the names and addresses for undercover CIA agents on your PDA.

With all this information, you probably don’t want certain people looking at it, be it your colleagues, the press, competitors, or the guy who stole your phone when you left it on the table in the restaurant. You certainly don’t want to have to admit to people you might have lost their data, and even more so, you don’t want to have to pay compensation for something which might never happen.

So how does encrypting this information help? Unfortunately on its own, surprisingly it does not.

CAR authentication.

No, I don’t want to talk about some new cryptographic process, I want to talk to plain old how-do-I-get-into-my-car.

Encryption is like a lock, for example the lock on your car doors, or the ignition lock. Why do we have locks on our cars? so that only certain people (with keys) can use them. If you really didn’t care who used your car or where it went, you might leave the key in the ignition, and the doors unlocked, but, most of us like to know where our car is, we like it to stay where we parked it, and we don’t want strangers driving off with it.

So, if encryption is the car locks, the car key is the authentication – you have the key to your car, so when you open the door or start the car, you’re authenticating yourself. By having the key you are saying “here’s proof I have permission to use this car”. It’s the same with data security. Encryption provides the means to deny access (lock) the data, and it’s the car key, or authentication, which gives you access.

If you wanted to lock your car, but didn’t want to have to bother about using a key to unlock it, you might leave the key in the door, or on top of the front wheel. You still have a locked car, but don’t have to worry about carrying a pesky key around.

Encryption without authentication is exactly this – it’s protecting data, but leaving the means to unprotect it exposed to anyone who looks for it.

Is it the lock which provides the security, or is it the fact you have to use a key providing security? The lock is the means of making sure you have the right key, the same as data encryption forces you to perform authentication. The lock prohibits bypassing ownership of the key.

Encryption is a means to enforce authentication.

Back to my confused customer, asking the very legitimate question why he needs a password when the data is encrypted. In this case we were talking about McAfee Endpoint Encryption for PCs (EEPC), one of our products which fully encrypts every sector of data on a users laptop, and provides a login page before the operating system starts. What the customer was looking for was a solution which would allow them to encrypt everything (thus satisfying the many regulations and controls the company was subject to which mention encryption), but wasn’t going to inflict another password on the user.

Normally EEPC would ask the user to login when they turned the machine on (before Windows starts), ignoring the features the product has to synchronise this login with their Windows details, we can all appreciate that moving the login from Windows to the pre-boot environment adds some challenges. Tools such as SMS require a little more thought, you can’t just reboot or WOL a protected machine for example – it will require a login before the OS starts up, so, encrypting the drive, but skipping the annoying pre-boot login seems the ultimate solution. It seems a good thing but there’s a fundamental flaw:

You left your car key in the door…

In this situation, a machine which is encrypted, but doesn’t require a login is a car which is locked, but doesn’t require you to carry a key. The key’s in the car door, in our computer world, the details necessary to unlock the encryption must be stored on the machine itself.

How else could it decrypt the drive without the user doing anything? Everything the machine needs to decrypt MUST be stored on the machine itself. This is immutable.

Back again to our customer who asks “but I still have a Windows login, that will protect me”.

Well, if that truly was the case (and there weren’t a dozen easy ways to bypass it), why were they or any of the thousands of customers who buy 3rd party security software considering encryption at all? – of course, the regulations require encryption.
Again, this is a good question which we shouldn’t dismiss lightly. It deserves a quality response. The simple answer is, well, maybe it is enough. It depends entirely on how much your data is worth.

If your PDA really does have the names and addresses of undercover CIA agents on it, I expect you are taking pretty good care of it. The data is probably worth millions of dollars, and if Al Qaeda got hold of it, probably a few lives. People are probably following you around trying to steal it.

If you just have your latest tax return on your laptop, then (with due respect) it’s probably not worth that much. If you are a corporate user, its maybe somewhere in the middle, especially if you’d have to write to all your customers and give them free identity theft counselling and “fess up” if your machine/usb stick/DVD was stolen.

So, if you really only have your tax return on your machine, probably a windows password and disk encryption without authentication will protect you unless you really have someone stalking you. To extract data from a fully encrypted machine with Windows authentication only, someone would have to do something like plug an ipod into your firewire port to get the decryption key out of, or slave your drive and debug the boot process to find the point where the key gets read of the disk (remember, the key is stored there on the drive, whatever product you’re using), or use the latest Windows network exploit.

Obviously this would need some skill, not something your average Windows user is going to possess, but, probably not more than your typical 2600 group member, defcom attendee, or computer hobbyist.

Perhaps more worrying is that once someone writes a tool to break a particular product in this mode, it will work on all machines for everyone – the attack isn’t machine specific as the tool’s just looking for information which is stored on the drive.

If you feel you might want to keep your data out of the press and competitors hands, maybe you should give authentication another chance. There are a lot of choices for users today, from simple passwords, to smart cards, usb keys, biometrics and all kinds of innovative tokens.

With proper education and explanation you’ll find your users will accept authentication without resistance. They are already used to it and substituting one password for another does not make much difference to the “user experience”.

Until the panacea of reliable, secure, transportable biometric authentication is realised, my advice is to keep your keys in your pocket, not in your car door.